Need help in the lab - APT29 Threat Hunting with Splunk: Ep.11 – Demonstrate Your Skills

Question

I am currently working through the APT29 Threat Hunting with Splunk: Ep.11 – Demonstrate Your Skills lab and would appreciate your assistance in reviewing or clarifying a few specific questions. Despite thorough log analysis and validation via Splunk queries, the following questions are not accepting what I believe to be correct answers:Q10. A PowerShell script was initially executed to extract encoded data from an image file. What is the full ParentCommandLine field value used to execute this?Q11. This PowerShell script was added to a registry key that was used to bypass user access control. What other value was set on the same key to facilitate this?Q15. what was the name of the service created to obtain a means of persistence?Q23. What is the name of the executable that's executed by the persistence mechanism placed in the Windows Startup folder?

veryk · Answer

that's funny, I came here stuck on 16 looking for help. I can help you with 10, 11 and 15 though. Did you want to share what you think the answers are, me give you a hint, the answer?&nbsp;

veryk · Answer

Ironically looking at 15 helped me to finally solve 16. I can also help you with 23 if you need as well.&nbsp;

Forum Discussion

Need help in the lab - APT29 Threat Hunting with Splunk: Ep.11 – Demonstrate Your Skills

2 Replies

Featured Places

Community Forum

Related Content

APT29 Threat Hunting with Splunk: Ep.11 – Demonstrate Your Skills - Question to Q9

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs

APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance

APT29 Threat Hunting with Splunk Ep.11 Q11

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs

Recent Discussions

help with A Christmas Catastrophe: A Letter to Santa

Incident Response: Suspicious Email – Part 2

powershell-deobfuscation-ep-8

PowerShell Basics/Remoting Lab is missing the tasks.

Yellow Banner You are not licensed to view this lab